Until recently, we hadn’t witnessed any enforcement action under the General Data Protection Regulation (GDPR). But, nearly 12 months on from its implementation, the first penalties have now been levied. Google’s recent €50 million fine from CNIL, the French data protection authority, is just one example.
For funds, the GDPR applies not only to entities established within the EU, but also to those located outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. Marketing a fund to EU-based investors is enough to fall within that scope, so many funds outside the bloc can be caught inadvertently when they take EU investment. As we approach the first birthday of the GDPR, Google’s example provides a reminder of the need to ensure continued compliance. As the enforcement priorities of regulators come into focus, the message to business is clear: watertight GDPR processes are crucial for avoiding fines in the future.
Preparedness is key. Funds should remember that data processing commences well before the subscription process, as early as the initial marketing to potential investors. Funds should therefore assess whether the GDPR applies to their data-processing activities. If it does, the compliance steps are clear.
Firstly, create a data map (in effect the record of processing activities that Article 30 requires): itemise each processing activity, list the categories of personal data processed, and record the purpose and legal basis for each. It is also sensible to record within this data map the third-party recipients of data and where they are located, since transfers outside the EU carry their own requirements.
It may sound obvious, but it is critical for funds to establish and maintain both internal and external data protection processes. Internal processes should set out data security measures, what data is collected and why, and how employees must treat personal data. As certain breaches must be notified to the data protection authority within 72 hours of the fund becoming aware of them, a breach notification process is also crucial. External processes, typically a privacy notice, should inform data subjects why their data is collected and the legal basis on which it is processed, whilst also highlighting their data rights.
Another common GDPR tripwire for funds is the distinction between ‘processors’ (e.g. administrators) and ‘joint controllers’ (e.g. fund managers). Different contractual requirements apply to each type of recipient, so fund managers need to understand which applies before they paper the relationship.
Processor agreements must contain the terms mandated by Article 28(3), including clauses on data security, processing only on the controller’s documented instructions, controls over sub-processors, and audit and access rights for the fund manager. Joint-controller agreements, by contrast, should contain the clauses typically found in ‘controller-to-controller’ agreements, requiring each party to comply with its own controller obligations and setting out which party is responsible for what.
Leave nothing to chance; regulators have made clear they will pursue those funds that have not properly considered compliance or have attempted to do so on the cheap.
A growing number of EU-based funds are also reporting difficulty raising money from investors in the US because of EU data protection rules. Some say they are being refused US SEC approval on the basis that they are unable to give the SEC access to EU books and records, which the SEC requires in order to fulfil its remit to protect US investors. This has reportedly left some EU-based managers unable to manage money for US clients.
Whilst there are arguably derogations within the GDPR that could be explored to permit such sharing, this conflict between US and EU law highlights why data protection should remain firmly on a fund manager’s radar.
By Steve Farmer, partner with Pillsbury Winthrop Shaw Pittman
©2019 funds europe